How Much is Enough (or, When Have You Taken “Reasonable” Steps to Protect Against Cybersecurity Threats)?

Authors: A. Jonathan Trafimow and Stephen E. Breidenbach

As technology continues to evolve and the law struggles to keep up, we are seeing more and more data protection statutes coming into existence. A number of these laws require businesses to implement reasonable standards but do not specify what safeguards are reasonable. However, since agencies are permitted to interpret ambiguities in the meaning of the laws that they are given the power to enforce, we have seen them use guidelines and enforcement proceedings to create a minimum set of standards that each business should have in place.

While what is reasonable will depend on which agencies govern you, we have seen the FTC, the primary enforcer of cybersecurity and privacy, as well as other officials, produce guides outlining a number of safeguards that businesses should have in place. Further, they are now requesting empirical data on whether the market currently supports efficient privacy and data security standards. As such, we can estimate that future arguments over whether a company reasonably protected its data will be directed toward these guidelines.

Businesses looking to escape costly fines should confer with counsel to determine what requirements apply to them and how to comply with them. Staying in compliance involves constant review as laws, agency guidelines and other information become available. Counsel can help in a number of ways, including by setting forth a company’s compliance procedures in a written information security policy, and by educating and training staff on changes in the law and how to comply. Further, protecting data requires companies to monitor and legally bind their service providers to implement reasonable safeguards. Counsel can assist in the drafting of data protection agreements and in the drafting of due diligence policies.

Jonathan Trafimow is a Partner at the law firm of Moritt Hock & Hamroff LLP. He Co-Chairs its Cybersecurity Practice Group and Chairs its Employment Law Practice Group.

Stephen E. Breidenbach is an Attorney at the law firm of Moritt Hock & Hamroff LLP and a Certified Information Privacy Professional/United States. He handles various legal matters related to Cybersecurity, Privacy and Technology.